Merkle Puzzles Are Optimal

Boaz Barak, Mohammad Mahmoody-Ghidary

Some faces of modern cryptography
Timeline (year, primitive, security, assumption):
Stone Age
1974  Merkle KA: n² sec, ideal OWF
1976  Diffie-Hellman KA: exp(n), ~dlog*
1977  RSA TDP: exp(n) sec, factoring*
1978  Rabin TDP: ~exp(n), factoring
1989  Naor-Yung SIG: exp(n) sec, OWF*
Fundamental Question: Is there OWF-based KA with super-poly security?
Impagliazzo-Rudich 89: No KA based on a random oracle can be proven more than n⁶ secure in a black-box way.
Why is it important?
Our Result: Improve IR89's bound to n².
Theoretical motivation: power of interaction.
Practical motivation: rule out a protocol with 10⁹ operations and 10⁵⁴ security [Biham-Ishai-Goren08].

Talk Plan
Formal defs and model.
Overview of Merkle's Protocol.
Description of our attacking algorithm.
Analysis of attack.

Formal Defs
Def: Key exchange protocol: Alice and Bob, each with oracle access to H, interact and output keys sA and sB.
Correctness:
Security: For every eavesdropping adversary outputting sE
Random oracle model: All parties have black-box access to a random function H: {0,1}ⁿ → {0,1}ⁿ (same model, different motivation than [Bellare-Rogaway 93]).
This talk: Complexity = # queries to H.
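The model just defined, instantiated with Merkle's protocol so the query counts can be watched directly. This is an added example, not code from the slides or the paper: it gives every party black-box access to a lazily sampled random function H, logs who queried what, and measures the n queries Alice and Bob each spend against the roughly n²/2 an eavesdropper spends. The puzzle domain of size n², the convention that each party's key is its shared query, and Eve's brute-force strategy are choices made here for the illustration.

```python
"""Merkle's puzzles in the random-oracle model, with query accounting.

Added example (not from the slides): every party has only black-box access
to a random function H, and complexity means the number of H queries.
The puzzle domain of size n^2, the "key = the shared query" convention and
Eve's brute-force strategy are choices made here.
"""
import random


class RandomOracle:
    """Lazily sampled random function H with per-party query logging.

    Logging is what lets us read off a run's complexity (# queries) and its
    intersection queries (inputs asked by both Alice and Bob).
    """

    def __init__(self, n_bits, rng):
        self.n_bits = n_bits
        self.rng = rng
        self.table = {}     # input -> output, sampled on first use
        self.queries = {}   # party -> set of inputs it asked about

    def query(self, party, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n_bits)
        self.queries.setdefault(party, set()).add(x)
        return self.table[x]

    def count(self, party):
        return len(self.queries.get(party, set()))

    def intersection_queries(self):
        return self.queries.get("Alice", set()) & self.queries.get("Bob", set())


def merkle_exchange(n, H, rng):
    """One run of Merkle's protocol: n queries per party, domain of size n^2.

    Alice publishes the puzzles H(x_1..x_n); Bob queries random points until
    one of his H(y) values matches a puzzle and sends that value back.  Each
    party's key is its matching query (the w.l.o.g. "last query" of the talk).
    Returns (transcript, sA, sB); None keys mean the run found no overlap.
    """
    domain = range(n * n)
    xs = rng.sample(domain, n)
    puzzles = {H.query("Alice", x): x for x in xs}
    sB = answer = None
    for y in rng.sample(domain, n):
        h = H.query("Bob", y)
        if h in puzzles:
            sB, answer = y, h
            break
    sA = None if answer is None else puzzles[answer]
    transcript = (frozenset(puzzles), answer)
    return transcript, sA, sB


def eve_brute_force(n, H, transcript, rng):
    """Eavesdropper with only the transcript: find the intersection query.

    Eve cannot invert H, so she queries domain points in random order until
    H(q) equals Bob's answer; that q is the shared query, i.e. the key.
    This costs about n^2 / 2 queries on average, the n^2 gap Merkle relies on.
    """
    _, answer = transcript
    if answer is None:
        return None
    for q in rng.sample(range(n * n), n * n):
        if H.query("Eve", q) == answer:
            return q
    return None


def simulate(n, trials, seed=0, n_bits=64):
    """Estimate Pr[sA = sB], Eve's success rate and everyone's query costs."""
    rng = random.Random(seed)
    agree = eve_hits = eve_queries = alice_queries = 0
    for _ in range(trials):
        H = RandomOracle(n_bits, rng)
        transcript, sA, sB = merkle_exchange(n, H, rng)
        alice_queries += H.count("Alice")
        if sA is not None and sA == sB:
            agree += 1
            sE = eve_brute_force(n, H, transcript, rng)
            eve_queries += H.count("Eve")
            # Eve recovers the key exactly when she has made every IQ of the run.
            if sE == sA and H.intersection_queries() <= H.queries["Eve"]:
                eve_hits += 1
    return {
        "agree_rate": agree / trials,                    # about 1 - 1/e
        "eve_success_rate": eve_hits / max(agree, 1),
        "avg_alice_queries": alice_queries / trials,     # exactly n
        "avg_eve_queries": eve_queries / max(agree, 1),  # about n^2 / 2
    }


if __name__ == "__main__":
    print(simulate(n=20, trials=400))
```

The agreement rate sits near 1 − 1/e because n random points out of n² overlap with n fixed ones with that probability; the talk's "n² sec" for Merkle KA is exactly the ratio between Eve's and the honest parties' query counts reported here.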

Our Result
Main Thm: ∀ n-query protocol, ∃ O((n/ε)²)-query Eve s.t. Pr[sE = sA] > Pr[sA = sB] − ε.
Def: q ∈ {0,1}ⁿ is an intersection query (IQ) for some execution of a protocol if both Alice and Bob make the query q to H(·).
Main Thm follows from:
Main Lemma: ∀ n-query protocol, ∃ O((n/ε)²)-query Eve: Pr[Eve makes all IQ's] > 1 − ε.
Intuition: w.l.o.g., the last queries of Alice and Bob are sA, sB.

Main Lemma: ∀ n-query protocol, ∃ O((n/ε)²)-query Eve: Pr[Eve makes all IQ's] > 1 − O(ε)
Attack Algorithm:
Can show: E[# Eve's queries] ≤ O(n²/ε).
Need: ∀ i, Pr[Eve misses qᵢ | not missing qⱼ, j<i] ≤ ε/n.
Intuition: If Eve didn't miss any IQ so far, she has as much chance of hitting Alice's next query as Bob does.

Lemma: ∀ i, Pr[Eve misses qᵢ | not missing qⱼ, j<i] ≤ 10ε/n
Proof attempt: Suppose not; Alice's i-th query q = qᵢ is the first one missed. Eve knows all messages and all shared queries of Alice and Bob. The oracle gives random answers in all non-shared locations.
(*) Alice's and Bob's views are independent conditioned on Eve's knowledge.
Fix Alice's view A = (rA, hA) that still makes Pr[miss] > 10ε/n. [Figure: Alice's view × Bob's view; "Bad set" of Alice's views with μ(·) ≥ 10ε/n.] But then the overall probability that q is asked by Bob is > ε/n: contradiction!
(*) is false. Cause of [IR89]'s technical complexity: handled by making more queries, showing that non-independence ⇒ Eve "makes progress" per query.
We show directly that the views are close to being independent (small mutual information).

Lemma: ∀ i, Pr[Eve misses qᵢ | not missing qⱼ, j<i] ≤ ε/n
Proof attempt: Suppose not; Alice's i-th query q = qᵢ is the first one missed. Eve knows all messages and all shared queries of Alice and Bob. The oracle gives random answers in all non-shared locations.
(*) Alice's and Bob's views are independent conditioned on Eve's knowledge.
Fix Alice's view A = (rA, hA) that still makes Pr[miss] > 10ε/n.
We show: ∀ A, B: μ(·) > 5ε/n. Implies [figure: Alice's view, Bob's view, Bad set].

Views are "almost" independent
[Figure: Alice's side depends only on |rA|, |QA|; Bob's side depends only on |rB|, |QB|.]
Thus the theorem follows from:
Cor: Probabilities in the product and non-product distributions are the same up to a multiplicative factor of 0.99.

[Figure: labels N, M, αM]

Main Lemma: ∀ n-query protocol, ∃ O((n/ε)²)-query Eve: Pr[Eve learns all IQ's] > 1 − O(ε)
Attack Algorithm:
Proved: ∀ i, Pr[Eve misses qᵢ | not missing qⱼ, j<i] ≤ 10ε/n.
Cor: Pr[Eve misses some IQ] ≤ 10ε.
Left to do: E[# Eve's queries] ≤ O(n²/ε).
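The step from the per-query bound to the corollary on this slide is a union bound over Alice's n queries, written out here as an added derivation (it is implicit on the slides, not spelled out there). The event that Eve misses some IQ is contained in the union over i of "qᵢ is the first query missed", and each of those events is bounded by the conditional probability the lemma controls:

$$\Pr[\text{Eve misses some IQ}] \;\le\; \sum_{i=1}^{n} \Pr\big[\text{Eve misses } q_i \ \wedge\ \text{not missing } q_j,\ j<i\big] \;\le\; \sum_{i=1}^{n} \Pr\big[\text{Eve misses } q_i \,\big|\, \text{not missing } q_j,\ j<i\big] \;\le\; n \cdot \frac{10\varepsilon}{n} \;=\; 10\varepsilon .$$

The constant 10 is what turns the Main Lemma's $1-\varepsilon$ into the $1 - O(\varepsilon)$ stated here; rescaling $\varepsilon$ by 10 changes Eve's query budget $O((n/\varepsilon)^2)$ only by a constant factor.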

Efficiency of attack
Attack Algorithm:
Left to do: E[# Eve's queries] ≤ O(n²/ε).
Lemma: E[# Eve's queries] ≤ O(n²/ε).

Open Questions
O(n²) bound for random permutations (we improve [IR89]'s Õ(n¹²) bound to O(n⁴)); can also consider the ideal cipher and other "symmetric" primitives.
Rule out a construction with non-trivial (i.e., ω(n)) security w.r.t. quantum adversaries??
Find non-black-box constructions of key exchange from one-way functions, or other "unstructured" assumptions.
